1. Field
This application relates to communication networks and, more particularly, to a method and apparatus for generating large numbers of encryption keys for use on a communication network.
2. Description of the Related Art
Data communication networks may include various computers, servers, nodes, routers, switches, hubs, proxies, and other devices coupled to and configured to pass data to one another. These devices will be referred to herein as “network elements,” and may provide a variety of network resources and services on the network. Conventionally, data has been communicated through data communication networks by passing protocol data units (such as packets, cells, frames, or segments) between the network elements by utilizing one or more communication links extending between the network elements. A particular protocol data unit may be handled by multiple network elements and cross multiple communication links as it travels between its source and its destination over the network.
To allow communications to take place in a secure manner on the communication network, it has become common to encrypt the communications, generally using encryption keys. Encryption keys are random strings of numbers that may have any number of characters. The longer the character string, and the more unpredictable the characters in the string, the stronger the key is said to be. As keys become stronger, the communications they encrypt become safer because it is harder to guess or infer the key that was used to encrypt the communication.
Since the strength of an encryption key depends in large part on the unpredictability of the characters in the key, generation of strong encryption keys requires the key generation program or network element to have access to a source of random numbers, referred to herein as an entropy source. If the entropy source is predictable, the values created by the entropy source will be easier to guess, and the strength of the keys created by the entropy source will be reduced accordingly.
Physical entropy sources may be used to generate random numbers for use in creating encryption keys, and may be considered somewhat superior to software entropy sources due to the unpredictability of the random information created. A few physical entropy sources include thermal noise, radioactive decay, oscillators, and disc drives, although other physical entropy sources exist as well. While physical entropy sources are able to generate truly random information, and hence may be used to create very strong encryption keys, they generally tend to be relatively slow. For example, the rotational speed of the disc in a computer disc drive may be used to generate random information. However, since the speed may not vary considerably in a short period of time, a disc drive-based physical entropy source may only generate sufficient random information to generate up to a few keys per second. As the keys become larger, the rate at which they may be generated is concomitantly reduced.
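To make the two points above measurable (key strength tracks the predictability of the entropy source, and a slow source bounds how many keys can be produced), the following added example, which is not part of this application, estimates the min-entropy of constructed sample streams and derives from it the effective strength of a key built from raw source output, the number of source bytes needed for a full-strength key, and the resulting key throughput. The two sample streams and the 100 bytes/second source rate are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample streams (assumption, not real device output):
# a skewed source where one symbol appears 70% of the time, and a
# source whose 256 byte values are equally frequent.
BIASED_SAMPLES = bytes([0] * 70 + [1] * 10 + [2] * 10 + [3] * 10) * 10
UNIFORM_SAMPLES = bytes(range(256)) * 4


def min_entropy_per_symbol(samples: bytes) -> float:
    """Conservative unpredictability estimate in bits per output byte:
    -log2 of the most frequent symbol's empirical probability, i.e. the
    success rate of an attacker's single best guess."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def effective_key_bits(samples: bytes, key_bytes: int) -> float:
    """Strength a key_bytes-long key really has when it is taken directly
    from raw source output, as opposed to the nominal 8 * key_bytes."""
    return key_bytes * min_entropy_per_symbol(samples)


def source_bytes_needed(samples: bytes, target_bits: int) -> int:
    """Raw source bytes that must be collected to accumulate target_bits
    of min-entropy before the material is conditioned into one key."""
    h = min_entropy_per_symbol(samples)
    if h <= 0.0:
        raise ValueError("source output is constant; no usable entropy")
    return math.ceil(target_bits / h)


def keys_per_second(samples: bytes, source_bytes_per_sec: float,
                    key_bits: int) -> float:
    """Upper bound on full-strength keys per second obtainable from a
    source of this quality running at source_bytes_per_sec."""
    return source_bytes_per_sec * min_entropy_per_symbol(samples) / key_bits


if __name__ == "__main__":
    for name, s in (("biased", BIASED_SAMPLES), ("uniform", UNIFORM_SAMPLES)):
        print(f"{name}: {min_entropy_per_symbol(s):.3f} bits/byte, "
              f"32-byte key worth {effective_key_bits(s, 32):.1f} bits, "
              f"{source_bytes_needed(s, 256)} bytes per 256-bit key, "
              f"{keys_per_second(s, 100.0, 256):.3f} keys/s at 100 B/s")
```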
As networks have become larger, and the number of entities encrypting traffic on the networks has risen, the need for a source of strong encryption keys has increased. One driving force behind this need for encryption keys is the proliferation of Virtual Private Networks (VPNs). VPNs allow private traffic to be shared between VPN sites over a public network by securing the traffic in such a manner that other users of the communication network are not able to see the private traffic. There are several ways to do this, many of which involve encrypting the traffic before transmitting the traffic onto the communication network.
As VPNs increase in size and number, generation of keys by the group members has been replaced by centralized key management systems, referred to herein as Group Control Key Servers (GCKSs). A GCKS may provide key generation and management together with many other services on the network. A large GCKS on the network may be required to generate thousands or tens of thousands of encryption keys for use by members of one or more Virtual Private Networks. Unfortunately, physical entropy sources are generally unable to provide a sufficient number of random values to generate strong keys for use in this environment, and software entropy sources may be too predictable to provide sufficiently strong encryption keys.